Posted On // Leave a Comment
Title:-   Reflected XSS vulnarbility in Asus RT-N10 Plus router
Author:   Kaustubh G. Padwad
Product:  ASUS Router RT-N10 Plus
Severity: Medium
Auth:     Requierd

# Description: 
Vulnerable Parameter: flag=
# Vulnerability Class:
Cross Site Scripting (

# About Vulnerability: Asus Router RT-N10 Plus with firmware is vulnarable for crosss site scripting attack,this may cause a huge network compemise.

#Technical Details: The value of the flag request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload initial78846%27%3balert("Hacked_BY_S3curity_B3ast")%2f%2f372137b5d was submitted in the flag parameter. This input was echoed unmodified in the application's response.

#Steps to Reproduce: (POC):
After setting up router
Enter this URL 

2. this will ask for creadintial once creatintial enterd it will be successfull XSS

# Disclosure: 
8-jan-2015 Repoerted to ASUS 
9-jan-2015 Asus confirm that they reported to concern department
15-jan-2015 Ask for update from asus asus says reported to HQ
28-jan-2015 Ask asus about reporting security foucus No reply from ASUS
29-jan-2015 security focus bugtraq

Kaustubh Padwad
Information Security Researcher



Post a Comment